
CISSP: Certified Information Systems Security Professional Study Guide

2nd Edition


Ed Tittel

James Michael Stewart

Mike Chapple

San Francisco • London

Associate Publisher: Neil Edde

Acquisitions and Developmental Editor: Heather O’Connor

Production Editor: Lori Newman

Technical Editor: Patrick Bass

Copyeditor: Judy Flynn

Compositor: Craig Woods, Happenstance Type-O-Rama

Graphic Illustrator: Happenstance Type-O-Rama

CD Coordinator: Dan Mummert

CD Technician: Kevin Ly

Proofreaders: Laurie O’Connell, Nancy Riddiough

Indexer: Ted Laux

Book Designer: Bill Gibson, Judy Fung

Cover Designer: Archer Design

Cover Photographer: Victor Arre, Photodisc

Copyright © 2004 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher.

First edition copyright © 2003 SYBEX Inc.

Library of Congress Card Number: 2003115091

ISBN: 0-7821-4335-0

SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the United States and/or other countries.

Screen reproductions produced with FullShot 99. FullShot 99 © 1991–1999 Inbit Incorporated. All rights reserved.

FullShot is a trademark of Inbit Incorporated.

The CD interface was created using Macromedia Director, COPYRIGHT 1994, 1997–1999 Macromedia Inc. For more information on Macromedia and Macromedia Director, visit http://www.macromedia.com.

This study guide and/or material is not sponsored by, endorsed by or affiliated with International Information Systems Security Certification Consortium, Inc. (ISC)2® and CISSP® are registered service and/or trademarks of the International Information Systems Security Certification Consortium, Inc. All other trademarks are the property of their respective owners.

TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer.

The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s). The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book.

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

To Our Valued Readers:

Thank you for looking to Sybex for your CISSP exam prep needs. We at Sybex are proud of our reputation for providing certification candidates with the practical knowledge and skills needed to succeed in the highly competitive IT marketplace. Certification candidates have come to rely on Sybex for accurate and accessible instruction on today’s crucial technologies. For the second year in a row, readers such as you voted Sybex as winner of the “Best Study Guides” category in the 2003 CertCities Readers Choice Awards.

The author and editors have worked hard to ensure that the new edition of the CISSP®: Certified Information Systems Security Professional Study Guide you hold in your hands is comprehensive, in-depth, and pedagogically sound. We’re confident that this book will exceed the demanding standards of the certification marketplace and help you, the CISSP certification candidate, succeed in your endeavors.

As always, your feedback is important to us. If you believe you’ve identified an error in the book, please send a detailed e-mail to support@sybex.com. And if you have general comments or suggestions, feel free to drop me a line directly at nedde@sybex.com. At Sybex we’re continually striving to meet the needs of individuals preparing for certification exams.

Good luck in pursuit of your CISSP certification!

Neil Edde

Associate Publisher—Certification

Sybex, Inc.

Software License Agreement: Terms and Conditions

The media and/or any online materials accompanying this book that are available now or in the future contain programs and/or text files (the “Software”) to be used in connection with the book. SYBEX hereby grants to you a license to use the Software, subject to the terms that follow. Your purchase, acceptance, or use of the Software will constitute your acceptance of such terms.

The Software compilation is the property of SYBEX unless otherwise indicated and is protected by copyright to SYBEX or other copyright owner(s) as indicated in the media files (the “Owner(s)”). You are hereby granted a single-user license to use the Software for your personal, noncommercial use only. You may not reproduce, sell, distribute, publish, circulate, or commercially exploit the Software, or any portion thereof, without the written consent of SYBEX and the specific copyright owner(s) of any component software included on this media.

In the event that the Software or components include specific license requirements or end-user agreements, statements of condition, disclaimers, limitations or warranties (“End-User License”), those End-User Licenses supersede the terms and conditions herein as to that particular Software component. Your purchase, acceptance, or use of the Software will constitute your acceptance of such End-User Licenses.

By purchase, use or acceptance of the Software you further agree to comply with all export laws and regulations of the United States as such laws and regulations may exist from time to time.

Software Support

Components of the supplemental Software and any offers associated with them may be supported by the specific Owner(s) of that material, but they are not supported by SYBEX. Information regarding any available support may be obtained from the Owner(s) using the information provided in the appropriate read.me files or listed elsewhere on the media.

Should the manufacturer(s) or other Owner(s) cease to offer support or decline to honor any offer, SYBEX bears no responsibility. This notice concerning support for the Software is provided for your information only. SYBEX is not the agent or principal of the Owner(s), and SYBEX is in no way responsible for providing any support for the Software, nor is it liable or responsible for any support provided, or not provided, by the Owner(s).

Warranty

SYBEX warrants the enclosed media to be free of physical defects for a period of ninety (90) days after purchase. The Software is not available from SYBEX in any other form or media than that enclosed herein or posted to www.sybex.com. If you discover a defect in the media during this warranty period, you may obtain a replacement of identical format at no charge by sending the defective media, postage prepaid, with proof of purchase to:

SYBEX Inc.

Product Support Department, 1151 Marina Village Parkway, Alameda, CA 94501

Web: http://www.sybex.com

After the 90-day period, you can obtain replacement media of identical format by sending us the defective disk, proof of purchase, and a check or money order for $10, payable to SYBEX.

Disclaimer

SYBEX makes no warranty or representation, either expressed or implied, with respect to the Software or its contents, quality, performance, merchantability, or fitness for a particular purpose. In no event will SYBEX, its distributors, or dealers be liable to you or any other party for direct, indirect, special, incidental, consequential, or other damages arising out of the use of or inability to use the Software or its contents even if advised of the possibility of such damage. In the event that the Software includes an online update feature, SYBEX further disclaims any obligation to provide this feature for any specific duration other than the initial posting.

The exclusion of implied warranties is not permitted by some states. Therefore, the above exclusion may not apply to you. This warranty provides you with specific legal rights; there may be other rights that you may have that vary from state to state. The pricing of the book with the Software by SYBEX reflects the allocation of risk and limitations on liability contained in this agreement of Terms and Conditions.

Shareware Distribution

This Software may contain various programs that are distributed as shareware. Copyright laws apply to both shareware and ordinary commercial software, and the copyright Owner(s) retains all rights. If you try a shareware program and continue using it, you are expected to register it. Individual programs differ on details of trial periods, registration, and payment. Please observe the requirements stated in appropriate files.

Copy Protection

The Software in whole or in part may or may not be copy-protected or encrypted. However, in all cases, reselling or redistributing these files without authorization is expressly forbidden except as specifically provided for by the Owner(s) therein.

Acknowledgments

Thanks to Neil Edde and Jordan Gold at Sybex for helping us hook up with this project; thanks also to Rodnay Zaks for numerous fine gastronomic experiences and for an even greater number of good ideas. But Neil wins the “great gastronomy prize” for taking me to Chez Panisse for lunch the last time I visited Sybex’s Alameda offices. Thanks to my mom and dad for providing me with the basic tools to become a writer and trainer: an inquiring mind, plus good verbal and debating skills. Thanks to Dina Kutueva, not just for marrying me and completing my life, but also for her magnificent efforts and sacrifices in delivering our beautiful son, Gregory E. Tittel, in February 2004. You rule my world! And finally, thanks to the whole historical LANWrights gang—Dawn, Mary, Kim, Bill, Chelsea, Natanya, and Michael—for 10 great years of camaraderie, collaboration, and the occasional success. You guys are the greatest; I couldn’t have done it without you! I'm sorry we haven't all been able to stay together, but I'll always value our time together and our continuing friendships.

—Ed Tittel

Thanks to Ed Tittel and LANWrights, Inc. for allowing me to contribute to the revision of this book. Working with you guys is and always has been a pleasure. Thanks to my editor Dawn Rader for putting up with my bad grammar. Thanks to my third co-author, Mike Chapple, for helping make this book all it could be. To my parents, Dave and Sue, thanks for your love and consistent support. To my sister Sharon and nephew Wesley, it’s great having family like you to spend time with. To Mark, it’s time we both got a life. To HERbert and Quin, it’s great having two furry friends around the house. And finally, as always, to Elvis—where did you get that shiny gold suit? I want to wear it around town to blind anyone who gazes in my direction.

—James Michael Stewart

I’d like to thank Ed Tittel, Dawn Rader, and the team at LANWrights, Inc. for their assistance with this project. I also owe a debt of gratitude to the countless technical experts in government and industry who’ve patiently answered my questions and fueled my passion for security over the years. Above all, I’d like to thank my wife Renee for her undying patience as I worked on this book. Without her support, this never would have been possible.

—Mike Chapple

Contents at a Glance

Introduction ... xxiii
Assessment Test ... xxx
Chapter 1 Accountability and Access Control ... 1
Chapter 2 Attacks and Monitoring ... 31
Chapter 3 ISO Model, Network Security, and Protocols ... 55
Chapter 4 Communications Security and Countermeasures ... 99
Chapter 5 Security Management Concepts and Principles ... 129
Chapter 6 Asset Value, Policies, and Roles ... 149
Chapter 7 Data and Application Security Issues ... 179
Chapter 8 Malicious Code and Application Attacks ... 219
Chapter 9 Cryptography and Private Key Algorithms ... 253
Chapter 10 PKI and Cryptographic Applications ... 287
Chapter 11 Principles of Computer Design ... 317
Chapter 12 Principles of Security Models ... 361
Chapter 13 Administrative Management ... 395
Chapter 14 Auditing and Monitoring ... 421
Chapter 15 Business Continuity Planning ... 449
Chapter 16 Disaster Recovery Planning ... 475
Chapter 17 Law and Investigations ... 507
Chapter 18 Incidents and Ethics ... 541
Chapter 19 Physical Security Requirements ... 563
Glossary ... 591
Index ... 649

Contents

Introduction ... xxiii
Assessment Test ... xxx
Chapter 1 Accountability and Access Control ... 1
    Access Control Overview ... 2
    Types of Access Control ... 2
    Access Control in a Layered Environment ... 4
    The Process of Accountability ... 5
    Identification and Authentication Techniques ... 7
    Passwords ... 7
    Biometrics ... 10
    Tokens ... 13
    Tickets ... 14
    Access Control Techniques ... 15
    Access Control Methodologies and Implementation ... 17
    Centralized and Decentralized Access Control ... 17
    RADIUS and TACACS ... 18
    Access Control Administration ... 19
    Account Administration ... 19
    Account, Log, and Journal Monitoring ... 20
    Access Rights and Permissions ... 20
    Summary ... 21
    Exam Essentials ... 22
    Review Questions ... 24
    Answers to Review Questions ... 28
Chapter 2 Attacks and Monitoring ... 31
    Monitoring ... 32
    Intrusion Detection ... 33
    Host-Based and Network-Based IDSs ... 33
    Knowledge-Based and Behavior-Based Detection ... 35
    IDS-Related Tools ... 36
    Penetration Testing ... 37
    Methods of Attacks ... 37
    Brute Force and Dictionary Attacks ... 38
    Denial of Service ... 40
    Spoofing Attacks ... 43
    Man-in-the-Middle Attacks ... 43
    Sniffer Attacks ... 44
